SafeHarbor · Reference Architectures

Where SafeHarbor fits in your security stack

Five archetype deployments. Each shows the other tools SafeHarbor cohabits with, how data flows between them, and what SafeHarbor contributes that SIEMs, EDRs, and CSPMs cannot. Vendor names are representative — SafeHarbor integrates with 2,000+ tools across 25 canonical categories, and every architecture can be reproduced with whichever products the customer has already bought.

The cyber control plane

SafeHarbor is not a replacement for your SIEM, EDR, IdP, or CSPM. It is the trust-data layer that sits between those tools and the decisions your security and compliance teams need to make: what to fix, what to enforce, what to report, and what to trust.
[Diagram: the cyber control plane. Inbound sources: Endpoint / EDR (CrowdStrike · Defender), Identity / IdP (Okta · Entra ID · AD), Cloud / CSPM (Wiz · Prisma · AWS), Vuln scanner (Tenable · Qualys · Rapid7), OT / ICS (Claroty · Dragos · Nozomi). Centre: SafeHarbor cyber control plane (asset graph · risk · OSCAL · attack paths · audit chain · enforcement). Outbound consumers: SIEM (Splunk · Sentinel · Elastic), ITSM / ticketing (ServiceNow · Jira), Compliance (eMASS · Xacta · OSCAL), Zero Trust PDP (posture signals · enforcement), Exec reporting ($-at-risk · trend · PDF). Connector categories shown: Endpoint / EDR, Identity, Cloud / CSPM, Vulnerability, OT / ICS, SIEM, ITSM, Compliance, BAS.]

Federal DoD / IC SOC

A mission partner runs a classified SOC on a high-side network. FIPS 140-3 is a hard requirement. OSCAL 1.1.2 is a hard requirement. The stack cannot depend on public SaaS or container registries.
FIPS 140-3: BoringCrypto build
OSCAL 1.1.2: native SSP · POA&M · SAR
85 MB: single Go binary
Zero external SaaS dependencies
[Diagram: high-side enclave, air-gapped. Endpoint / EDR: CrowdStrike Falcon for Gov. Identity / ICAM: Entra ID (Azure Gov) · CAC. Cloud: AWS GovCloud (US) · Azure Gov. Vuln: Tenable SC (ACAS). Log / SIEM: Splunk Enterprise. SafeHarbor FIPS 140-3 build: DGraph · Postgres · NATS, HMAC audit chain (CC FAU_STG.1). ITSM / GRC: ServiceNow GRC. Compliance: eMASS / Xacta (OSCAL). Zero Trust: PDP / PEP gateway. Audit / SIEM: Splunk (enforcement events).]

| Layer | Example vendors | SafeHarbor's role |
|---|---|---|
| Endpoint | CrowdStrike Falcon for Government · Microsoft Defender for Endpoint (GCC-H) · Elastic Defend | Consumer of asset + vulnerability telemetry |
| Identity | Microsoft Entra ID (Azure Government) · Okta for U.S. Government · CAC / PIV | Consumer of user, role, and MFA state |
| SIEM | Splunk Enterprise · Microsoft Sentinel (Azure Government) · Elastic Security | Emits audit + enforcement events outbound |
| Ticketing | ServiceNow GRC · Jira Data Center | POA&M items auto-opened / closed |
| Compliance register | eMASS · Xacta | OSCAL 1.1.2 + eMASS CSV export |
| Control plane | SafeHarbor | Asset graph · risk · OSCAL · closed-loop enforcement |

Trust-data layer for Zero Trust

Signed asset-posture facts (patch state, MFA, EDR coverage, classification tag) are published for consumption by any PDP/PEP. No other tool in the stack produces that composite.

OSCAL-native output

eMASS and Xacta both accept OSCAL; SIEMs and EDRs don't produce it. SafeHarbor does, directly from live graph state.

Closed-loop enforcement

When a control drifts, SafeHarbor's desired-state engine fires a remediation playbook. The enforcement event is itself HMAC-chained for assessor review.

Federal Civilian / FedRAMP Moderate agency

A civilian agency running on FedRAMP-authorized services needs continuous FISMA/FedRAMP evidence — and needs to answer "where are my unpatched internet-facing assets?" without a 90-day spreadsheet exercise.
[Diagram: CNAPP / CSPM: Wiz · Prisma · Orca. EDR: CrowdStrike · Defender. Vuln: Tenable SC / One · Qualys. Identity: Okta · Entra ID. ITSM: ServiceNow ITSM. SafeHarbor (CAASM + OSCAL): live graph across cloud, endpoint, identity and vulns. GRC register: ServiceNow GRC · Archer. FedRAMP package: OSCAL SSP · POA&M · SAR, on-demand export. Exec reporting: $-at-risk · 90-day trend. SIEM: audit + enforcement stream.]

| Layer | Example vendors | SafeHarbor's role |
|---|---|---|
| CSPM / CNAPP | Wiz · Prisma Cloud · Orca | Consumer of cloud misconfigurations |
| EDR | CrowdStrike · Defender | Consumer of endpoint posture |
| Vuln scanner | Tenable SC · Tenable One · Qualys VMDR · Rapid7 | Consumer of CVE findings |
| Identity | Okta · Entra ID | Consumer of user entitlements |
| Compliance tooling | Drata · Vanta | Replaced for regulated assessment; SafeHarbor emits OSCAL natively |
| Control plane | SafeHarbor | Unified graph · risk scoring · OSCAL · audit chain |

OSCAL 1.1.2 package, not checklists

SSP + POA&M + SAR generated from the same live data the CSPM sees. Drata and Vanta emit checklists, not OSCAL.

One graph, not five spreadsheets

Wiz is cloud-only; CrowdStrike is endpoint-only. Unifying them in Excel is how agencies fail continuous-ATO audits.

90-day dollar-at-risk trend

Linear regression over Timescale history, exportable to executives as PDF or PPTX.

Commercial Enterprise XDR stack

A mid-market enterprise bought an XDR (CrowdStrike, SentinelOne, Microsoft) and discovered it doesn't answer "which users have admin access without MFA on production servers without EDR." They want a CAASM, but not one that requires a six-month Kubernetes deployment.
[Diagram: XDR: CrowdStrike · SentinelOne. IdP: Okta · Entra ID. MDM: Jamf · Intune. Vuln scan: Tenable VM · Rapid7 InsightVM. SafeHarbor attack-path engine: 23 AD-style edge types, toxic combos, dollar-at-risk. Toxic combos: ranked exposure list. Ticketing: Jira · auto POA&M. SIEM: Splunk · Datadog · Elastic. Exec briefing: $-at-risk for the board.]

| Layer | Example vendors | SafeHarbor's role |
|---|---|---|
| XDR | CrowdStrike · SentinelOne · Defender XDR | Primary endpoint telemetry source |
| SIEM | Splunk · Datadog · Elastic | Outbound audit + enforcement stream |
| IdP | Okta · Entra ID | Identity, MFA, and entitlement ingest |
| MDM | Jamf · Intune | Device management state |
| Vuln scanner | Tenable VM · Rapid7 InsightVM | CVE findings |
| Control plane | SafeHarbor | CAASM · attack-path · toxic combos · remediation grouping |

The composite question

XDRs answer "is this endpoint safe?" SafeHarbor answers "is this business service safe given every asset, user, and relationship it touches?"

Attack paths without domain join

23 AD-style edge types modeled from ingested data. No BloodHound collector running on the DC. Paths rank by exploitability and blast radius.

Patch-group rollup

200 findings collapsed into 12 patch groups, ranked by dollar-at-risk × exploit probability — not CVSS alone.

CTEM program — scoping through mobilization

The customer is standing up a Continuous Threat Exposure Management program per Gartner's five-stage model and has budget for one BAS vendor. They need the other four stages covered by a CAASM that understands CTEM, not just asset inventory.
[Diagram: Gartner CTEM, five stages. Stage 01 Scoping (native): business services, tag-scope RBAC, crown-jewel tagging. Stage 02 Discovery (native): 2,000+ connectors, DGraph asset graph, 23 relationship edges. Stage 03 Prioritization (native): attack paths, toxic combinations, $-at-risk ranking. Stage 04 Validation (partner): AttackIQ · SafeBreach · Pentera · Horizon3 plus OPFOR analysis layer. Stage 05 Mobilization (native): POA&M auto-open, control-plane enforce, audit-chained evidence.] Stages 1, 2, 3, 5 are native to SafeHarbor. Stage 4 integrates any BAS vendor; their validation telemetry marks attack paths as validated_live in the graph.

| CTEM stage | Primary tool | SafeHarbor's role |
|---|---|---|
| 1. Scoping | SafeHarbor business services + tag RBAC | Native |
| 2. Discovery | Connectors + DGraph graph | Native |
| 3. Prioritization | Attack paths + toxic combos + $-at-risk | Native |
| 4. Validation | AttackIQ · SafeBreach · Pentera · Horizon3 | Partner + OPFOR analysis-layer emulation |
| 5. Mobilization | POA&M · control plane · ticketing | Native |
| Coverage | 4 of 5 stages natively | BAS partner story for the fifth |

Four of five stages natively

Only Validation requires a partner. Every other CTEM stage ships in the single SafeHarbor binary on day one.

BAS telemetry raises priority

When AttackIQ or Pentera proves a path is exploitable in production, SafeHarbor marks it validated_live and it outranks untested paths.

Audit-chained evidence

An assessor can walk a POA&M item from "opened by CTEM run" to "closed by playbook X, validated by BAS rerun Y" with HMAC-signed continuity.
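The HMAC-chained continuity described here and under "Closed-loop enforcement" above, as an added example that is not SafeHarbor's code: each audit record binds the previous record's MAC into its own, so an edited or dropped record breaks verification at the first affected index. The key, event schema and identifiers are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would keep it in an HSM or KMS (assumption).
KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # MAC value the first record chains from

def chain_event(prev_mac, event):
    """Build one audit record whose MAC covers the previous MAC and this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(KEY, prev_mac.encode() + b"|" + body, hashlib.sha256).hexdigest()
    return {"prev": prev_mac, "event": event, "mac": mac}

def build_chain(events):
    chain, prev = [], GENESIS
    for ev in events:
        rec = chain_event(prev, ev)
        chain.append(rec)
        prev = rec["mac"]
    return chain

def verify_chain(chain):
    """Return (True, -1) if continuity holds, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:  # a record was dropped or reordered
            return False, i
        expected = chain_event(prev, rec["event"])["mac"]
        if not hmac.compare_digest(expected, rec["mac"]):  # contents were edited
            return False, i
        prev = rec["mac"]
    return True, -1

# Constructed POA&M lifecycle: opened by a CTEM run, remediated by a playbook, closed after a BAS rerun.
POAM_EVENTS = [
    {"poam": "POAM-0001", "action": "opened", "by": "ctem-run-17", "control": "SI-2"},
    {"poam": "POAM-0001", "action": "enforced", "by": "playbook-patch-critical", "result": "ok"},
    {"poam": "POAM-0001", "action": "closed", "by": "bas-rerun-18", "path_reproduced": False},
]

def walk(chain, poam_id):
    """The assessor's view: ordered actions recorded for one POA&M item."""
    return [r["event"]["action"] for r in chain if r["event"]["poam"] == poam_id]

def tampered_copy(chain):
    """Rewrite the enforcement outcome after the fact, leaving the stored MAC untouched."""
    bad = json.loads(json.dumps(chain))  # deep copy
    bad[1]["event"]["result"] = "skipped"
    return bad
```

Deleting the middle record (`[chain[0], chain[2]]`) is caught the same way, because the closing record still names the enforcement record's MAC as its predecessor.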

OT / ICS critical infrastructure

A utility or manufacturer running a Purdue-model network needs IT + OT asset visibility in a single pane, without agents on Level 0-2 devices. Segmentation gaps between IT and OT should surface as toxic combinations, not as two separate consoles the SOC has to correlate by hand.
[Diagram: Purdue levels. Level 0-1, sensors and PLCs: flow meters · PLCs · RTUs · IEDs; Modbus / DNP3 / OPC UA, typically non-routable. Level 2, SCADA / HMI: SCADA servers · HMI stations · Historian; often Windows-based, patching lags by design. Level 3-5, enterprise IT: workstations · Active Directory · SaaS · Cloud; standard EDR / IdP / SaaS connector coverage. Passive monitoring: Claroty · Dragos; Nozomi · Claroty. Agent-based: CrowdStrike · AD. SafeHarbor: unified IT + OT graph, Purdue segmentation gaps, ISA / IEC 62443 mapping. Purdue gap: IT → OT pivot path detected. Enforcement: Palo Alto · Fortinet rule push. SIEM: Splunk ITSI unified alert. Compliance: NERC CIP · IEC 62443.]

| Layer | Example vendors | SafeHarbor's role |
|---|---|---|
| OT passive monitoring | Claroty CTD · Dragos · Nozomi | Ingest PLC / SCADA inventory |
| IT endpoint | CrowdStrike · Defender | Standard IT ingest |
| Identity | Entra ID · AD | Identity + admin access |
| Firewall / NGFW | Palo Alto · Fortinet | Enforcement edge (rule push) |
| SIEM | Splunk ITSI | Unified alert stream |
| Control plane | SafeHarbor | Unified IT/OT graph · segmentation gaps · 62443 |

One graph spanning IT and OT

Claroty sees the PLCs. CrowdStrike sees the workstations. Neither sees the admin who can pivot Level 5 → Level 2. SafeHarbor does.

Segmentation gap detection

Cross-Purdue paths surface as toxic combinations with a direct enforcement hook for the NGFW, not as a ticket for a human to correlate.
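An added example, not SafeHarbor's code, that ties together the composite question from the XDR section ("admin access without MFA on production servers without EDR"), the dollar-at-risk × exploit-probability ranking from the patch-group rollup, and the Purdue-gap detection described here, over a constructed asset graph. The node schema, edge names, Purdue assignments and dollar values are assumptions.

```python
from collections import deque

# Constructed asset graph; schema, edge names and values are assumptions, not SafeHarbor's model.
NODES = {
    "alice": {"type": "user", "mfa": False, "purdue": 5},
    "bob": {"type": "user", "mfa": True, "purdue": 5},
    "carol": {"type": "user", "mfa": False, "purdue": 5},
    "srv-admins": {"type": "group"},
    "prod-db-01": {"type": "host", "tier": "prod", "edr": False, "purdue": 4, "dollar_at_risk": 2_000_000, "exploit_prob": 0.6},
    "prod-web-02": {"type": "host", "tier": "prod", "edr": True, "purdue": 4, "dollar_at_risk": 500_000, "exploit_prob": 0.9},
    "hmi-07": {"type": "host", "tier": "prod", "edr": False, "purdue": 2, "dollar_at_risk": 5_000_000, "exploit_prob": 0.3},
}
EDGES = [  # (source, edge type, target): two of the AD-style edge types the page counts
    ("alice", "MemberOf", "srv-admins"),
    ("srv-admins", "AdminTo", "prod-db-01"),
    ("srv-admins", "AdminTo", "prod-web-02"),
    ("bob", "AdminTo", "prod-db-01"),
    ("carol", "AdminTo", "hmi-07"),
]

def reachable_admin_hosts(user):
    """Hosts the user administers directly or through nested group membership."""
    seen, queue, hosts = {user}, deque([user]), set()
    while queue:
        node = queue.popleft()
        for src, kind, dst in EDGES:
            if src != node or dst in seen:
                continue
            seen.add(dst)
            if kind == "AdminTo" and NODES[dst]["type"] == "host":
                hosts.add(dst)
            elif kind == "MemberOf":
                queue.append(dst)  # keep expanding through groups
    return hosts

def toxic_combos():
    """No-MFA users with admin on prod hosts lacking EDR, ranked by $-at-risk x exploit probability."""
    combos = []
    for user, u in NODES.items():
        if u["type"] != "user" or u["mfa"]:
            continue
        for host in reachable_admin_hosts(user):
            h = NODES[host]
            if h["tier"] != "prod" or h["edr"]:
                continue
            combos.append({"user": user, "host": host,
                           "score": h["dollar_at_risk"] * h["exploit_prob"],
                           "purdue_gap": u["purdue"] >= 3 and h["purdue"] <= 2})  # IT identity reaching OT
    return sorted(combos, key=lambda c: c["score"], reverse=True)
```

Note that the OT host ranks first despite the lowest exploit probability, which is the point of weighting by dollar-at-risk rather than a CVSS-style score alone; the `purdue_gap` flag is what the text describes handing to the NGFW enforcement hook.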

ISA / IEC 62443 native

OT compliance framework mapping ships alongside NIST 800-53, CMMC, and PCI — not a bolt-on module.

Where this document lives

Internal

docs/business/reference-architectures.html and .md — canonical briefs tied to each GTM segment, shared with sales, SEs, and partner engineering.

External

Each section transplants to a /solutions/<segment> website page. SVG diagrams render standalone; vendor matrices are competitor-neutral.

Fork

For new verticals (HIPAA, PCI, vertical-specific adversary programs) copy one section, replace the vendor matrix and diagram. The SafeHarbor role row is stable: graph, risk, compliance output, closed-loop enforcement.